This is an awesome question! Thanks for asking, Manu! The following is my two cents:
- A policy is the management intent formally expressed to correct or affect the behavior of an entity. Security policies are policies to enforce the CIA; they are one source of security requirements.
- A model is typically a structural representation of an entity (or detail description or scaled representation, as per NIST’s definition).
- A model is part of the solution domain, while the policy belongs to the problem domain.
- A security model as a design has to “formalize” (define precisely) the security policies and propose a solution to address their security requirements.
For example, a security policy may mandate that the system shall not result in the unauthorized disclosure of information. A security model may “formalize” the unauthorized disclosure of information as follows:
- Information shall not flow from a high-security level to a lower one.
- Information shall not flow to unauthorized entities.
It may propose a design in the meantime that uses:
- a state machine to prove the system is secure and
- a lattice framework to control information flow.
To sum up, a security model is a solution that addresses the requirements conveyed through policies and a design that dictates the implementation.